Hi,

The patch size is misleading: it's just a simple generalization of Jan Lieskovsky's Fedora's sshd_* fixes on shared/ and a bunch of symlinks. I could try to figure out how to break it, but I'm not sure it would help.

Thanks

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Shawn Wells
Sent: Thursday, 29 May 2014 03:44
To: [email protected]
Subject: Re: [PATCH 01/01] Several changes in sshd_* fixes (ignore previous)

On 5/28/14, 11:55 AM, Rui Pedro Bernardino wrote:
> From: Rui Bernardino<[email protected]>
>
>
> Signed-off-by: Rui Bernardino<[email protected]>
> ---
> Fedora/input/fixes/bash/sshd_disable_rhosts.sh | 1 +
> .../fixes/bash/sshd_do_not_permit_user_env.sh | 1 +
> .../input/fixes/bash/sshd_enable_warning_banner.sh | 1 +
> .../input/fixes/bash/sshd_use_approved_ciphers.sh | 1 +
> .../fixes/bash/sshd_disable_empty_passwords.sh | 6 +--
> RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh | 6 +--
> RHEL/6/input/fixes/bash/sshd_disable_root_login.sh | 6 +--
> .../fixes/bash/sshd_do_not_permit_user_env.sh | 6 +--
> .../input/fixes/bash/sshd_enable_warning_banner.sh | 6 +--
> RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh | 9 +---
> RHEL/6/input/fixes/bash/sshd_set_keepalive.sh | 6 +--
> .../input/fixes/bash/sshd_use_approved_ciphers.sh | 6 +--
> .../fixes/bash/sshd_disable_empty_passwords.sh | 6 +--
> RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh | 6 +--
> RHEL/7/input/fixes/bash/sshd_disable_root_login.sh | 6 +--
> .../fixes/bash/sshd_do_not_permit_user_env.sh | 6 +--
> .../input/fixes/bash/sshd_enable_warning_banner.sh | 6 +--
> RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh | 9 +---
> RHEL/7/input/fixes/bash/sshd_set_keepalive.sh | 6 +--
> .../input/fixes/bash/sshd_use_approved_ciphers.sh | 6 +--
> shared/fixes/bash/sshd_disable_empty_passwords.sh | 42 ++++++++-------
> shared/fixes/bash/sshd_disable_rhosts.sh | 57
> ++++++++++++++++++++
> shared/fixes/bash/sshd_disable_root_login.sh | 42 ++++++++-------
> shared/fixes/bash/sshd_do_not_permit_user_env.sh | 57
> ++++++++++++++++++++
> shared/fixes/bash/sshd_enable_warning_banner.sh | 57
> ++++++++++++++++++++
> shared/fixes/bash/sshd_set_idle_timeout.sh | 43 ++++++++-------
> shared/fixes/bash/sshd_set_keepalive.sh | 42 ++++++++-------
> shared/fixes/bash/sshd_use_approved_ciphers.sh | 57
> ++++++++++++++++++++
> 28 files changed, 337 insertions(+), 166 deletions(-) create mode 120000
> Fedora/input/fixes/bash/sshd_disable_rhosts.sh
> create mode 120000 Fedora/input/fixes/bash/sshd_do_not_permit_user_env.sh
> create mode 120000 Fedora/input/fixes/bash/sshd_enable_warning_banner.sh
> create mode 120000 Fedora/input/fixes/bash/sshd_use_approved_ciphers.sh
> mode change 100644 => 120000
> RHEL/6/input/fixes/bash/sshd_disable_empty_passwords.sh
> mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_disable_rhosts.sh
> mode change 100644 => 120000
> RHEL/6/input/fixes/bash/sshd_disable_root_login.sh
> mode change 100644 => 120000
> RHEL/6/input/fixes/bash/sshd_do_not_permit_user_env.sh
> mode change 100644 => 120000
> RHEL/6/input/fixes/bash/sshd_enable_warning_banner.sh
> mode change 100644 => 120000
> RHEL/6/input/fixes/bash/sshd_set_idle_timeout.sh
> mode change 100644 => 120000 RHEL/6/input/fixes/bash/sshd_set_keepalive.sh
> mode change 100644 => 120000
> RHEL/6/input/fixes/bash/sshd_use_approved_ciphers.sh
> mode change 100644 => 120000
> RHEL/7/input/fixes/bash/sshd_disable_empty_passwords.sh
> mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_disable_rhosts.sh
> mode change 100644 => 120000
> RHEL/7/input/fixes/bash/sshd_disable_root_login.sh
> mode change 100644 => 120000
> RHEL/7/input/fixes/bash/sshd_do_not_permit_user_env.sh
> mode change 100644 => 120000
> RHEL/7/input/fixes/bash/sshd_enable_warning_banner.sh
> mode change 100644 => 120000
> RHEL/7/input/fixes/bash/sshd_set_idle_timeout.sh
> mode change 100644 => 120000 RHEL/7/input/fixes/bash/sshd_set_keepalive.sh
> mode change 100644 => 120000
> RHEL/7/input/fixes/bash/sshd_use_approved_ciphers.sh
> create mode 100755 shared/fixes/bash/sshd_disable_rhosts.sh
> create mode 100755 shared/fixes/bash/sshd_do_not_permit_user_env.sh
> create mode 100755 shared/fixes/bash/sshd_enable_warning_banner.sh
> create mode 100755 shared/fixes/bash/sshd_use_approved_ciphers.sh

Thanks, Rui! Gave a quick review and noted how you added logic to check the various stanzas for occurrence location of various configuration directives (e.g. in sshd_disable_empty_passwords).

The changes are a bit hard to parse as a single patch. Mind breaking this into multiple patches?

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
